4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975

General

Target

4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
Size

1.3MB
MD5

5257632f938121f309bc5e21cb5e6841
SHA1

f2dd233525ba805a0fa13dbc62eb5c8fa2754a64
SHA256

4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975
SHA512

71fd6e705bce887f53bc925585e18c8863816559ca1ce481b433f79fb6a469f0e6523ca397f2c88c377fda2f1a96d1cd3fa7525ded620af7b513c76e6f995e2d

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe

pid process

2024 restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
Loads dropped DLL 1 IoCs

Processes:

4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe

pid process

560 4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe

pid	process
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe

pid	process
2024	restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
2024	restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe

description	pid	process	target process
PID 560 wrote to memory of 2024	560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe	restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
PID 560 wrote to memory of 2024	560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe	restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
PID 560 wrote to memory of 2024	560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe	restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
PID 560 wrote to memory of 2024	560	4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe	restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe

C:\Users\Admin\AppData\Local\Temp\4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
"C:\Users\Admin\AppData\Local\Temp\4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Local\Temp\restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
"C:\Users\Admin\AppData\Local\Temp\restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe" ad
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
Filesize
1.3MB

MD5
5257632f938121f309bc5e21cb5e6841

SHA1
f2dd233525ba805a0fa13dbc62eb5c8fa2754a64

SHA256
4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975

SHA512
71fd6e705bce887f53bc925585e18c8863816559ca1ce481b433f79fb6a469f0e6523ca397f2c88c377fda2f1a96d1cd3fa7525ded620af7b513c76e6f995e2d

Download Submit
\Users\Admin\AppData\Local\Temp\restartok4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975.exe
Filesize
1.3MB

MD5
5257632f938121f309bc5e21cb5e6841

SHA1
f2dd233525ba805a0fa13dbc62eb5c8fa2754a64

SHA256
4481a12f2cf53c34e74eba7c3c8d895536b447f59267a8dc577128436b06e975

SHA512
71fd6e705bce887f53bc925585e18c8863816559ca1ce481b433f79fb6a469f0e6523ca397f2c88c377fda2f1a96d1cd3fa7525ded620af7b513c76e6f995e2d

Download Submit
memory/560-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/560-59-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/560-60-0x0000000005160000-0x0000000005594000-memory.dmp

Filesize
4.2MB

Download
memory/560-62-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/560-63-0x0000000005160000-0x0000000005594000-memory.dmp

Filesize
4.2MB

Download
memory/2024-56-0x0000000000000000-mapping.dmp

Download
memory/2024-61-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/2024-64-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads